Tuesday, March 22, 2011

Updating Group Membership “Dynamically”

I created this script based on a question posted on the .  This script can be used to “dynamically” update group membership based on an LDAP attribute.

In this example, I will add users whose location attribute (l) is populated with the value “SiteA” to a security group called SiteA.

The following command will remove the existing group members from the SiteA group.

dsget group "CN=SiteA,OU=TestOU,DC=Infralab, DC=local" -members | dsmod group "CN=SiteA,OU=TestOU,DC=Infralab, DC=local" -rmmbr


The following command filters all objects on the location code (l=SiteA) and adds them to the SiteA group.

dsquery * -Filter "(l=SiteA)" | dsmod group "CN=SiteA,OU=TestOU,DC=Infralab, DC=local" -addmbr


You can use the same logic to copy group members from one group to another.  Here is an example:

dsget group "CN=Group1,OU=TestOU,DC=Infralab, DC=local" -members | dsmod group "CN=Group2,OU=TestOU,DC=Infralab, DC=local" -addmbr

The above command will copy members from Group1 to Group2.
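
The remove-then-re-add sequence for SiteA leaves the group empty between the two commands and re-adds accounts that were already members. As an added example (not code from the original post), the PowerShell function below changes only the difference between the current members and the filter result; it assumes the ActiveDirectory module is installed and, as an assumption, matches user objects only.

```powershell
# Added example: delta-based sync of a group against an LDAP filter.
# Assumes the ActiveDirectory module (RSAT); DN and filter are the post's lab values.
Import-Module ActiveDirectory

function Sync-GroupFromFilter {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $GroupDN,
        [Parameter(Mandatory)] [string] $LdapFilter
    )

    # Desired members: user accounts only. "dsquery *" with the same filter
    # matches any object class that carries the attribute.
    $desired = @(Get-ADUser -LDAPFilter $LdapFilter |
        Select-Object -ExpandProperty DistinguishedName)

    # Current direct members of the group.
    $current = @(Get-ADGroupMember -Identity $GroupDN |
        Select-Object -ExpandProperty distinguishedName)

    # Guard: an empty result is more likely a typo in the filter than a
    # real request to empty a security group.
    if ($desired.Count -eq 0) {
        throw "Filter '$LdapFilter' matched no users; refusing to empty $GroupDN"
    }

    # Only the difference is written, so existing members are never dropped and re-added.
    $toAdd    = @($desired | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $desired -notcontains $_ })

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupDN, "Add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $GroupDN -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupDN, "Remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $GroupDN -Members $toRemove -Confirm:$false
    }

    # Return the change set so it can be logged or reviewed.
    [pscustomobject]@{ Group = $GroupDN; ToAdd = $toAdd; ToRemove = $toRemove }
}

# Preview the change set first; drop -WhatIf to apply it.
Sync-GroupFromFilter -GroupDN "CN=SiteA,OU=TestOU,DC=Infralab,DC=local" -LdapFilter "(l=SiteA)" -WhatIf
```

The returned object lists every membership change, which makes a scheduled run easy to audit.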



Is it possible to exclude users who belong to the group already?

I would appreciate it if someone showed me how to do it.


I am having a problem using the first of these commands. I am getting the error "dsmod failed:You must specify at least one attribute to be modified."

Here is my exact command, issued via PowerShell:

dsget group "CN=grp.sig.retail,OU=SignatureGroups,OU=GroupsAndUsers,DC=americanchartered,DC=com" -members | dsmod group "CN=grp.sig.retail,OU=SignatureGroups,OU=GroupsAndUsers,DC=americanchartered,DC=com" –rmmbr

That fails with the above error. Running the first part before the pipe returns a list of the group members, as expected.

The CN is exactly the same, as I "copy and pasted" it from the DSGET part of the command.

Any help would be greatly appreciated.

Thanks, Bob Sawyer
